None of the out-of-the-box syslogd regex ueiMatch statements work
Activity

Seth Leger March 6, 2017 at 12:14 PM
This was resolved by ensuring that the <match> expression is only applied to the final "message" portion of the syslog datagram. Previously, the process name and ID or potentially the entire syslog message was passed to the expression which is unnecessary.
commit c0d09c72b26b4073671749c07d0dcfa98b6f86ec

Cyrille Bollu May 6, 2014 at 10:00 AM
Good to know: Events are triggered when I change the out-of-the-box ueiMatch for this event, by adding a '.*?' in front of the regular expression
So, this ueiMatch works for me:
<ueiMatch>
  <process-match expression="^sshd$" />
  <!-- here is the '.*?' pattern added, at the start of the expression -->
  <match type="regex" expression="^.*?Failed (.*?) for (\S+) from (.*?) port (\d+) ssh(\d)$" />
  <uei>uei.opennms.org/vendor/openssh/syslog/sshd/passwordFailure</uei>
  <parameter-assignment matching-group="1" parameter-name="authMethod" />
  <parameter-assignment matching-group="2" parameter-name="user" />
  <parameter-assignment matching-group="3" parameter-name="remoteHost" />
  <parameter-assignment matching-group="4" parameter-name="remotePort" />
  <parameter-assignment matching-group="5" parameter-name="protocolVersion" />
</ueiMatch>
Description
None of the out-of-the-box syslogd ueiMatch statements work.
For example, the following easily reproducible syslog message never creates an event:
Failed password for support from 2001:6a8:3c80:8004:a17e:2b7b:762f:3e65 port 60387 ssh2
My syslogd configuration is the following:
<configuration
syslog-port="10514"
new-suspect-on-message="false"
parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
forwarding-regexp="^((.+?):? (.*))\n?$"
matching-group-host="2"
matching-group-message="3"
discard-uei="DISCARD-MATCHING-MESSAGES"
/>
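The configuration above and the two comments can be walked through end to end: the forwarding-regexp splits host from message, and whether the sshd ueiMatch fires depends on how much of that message reaches the <match> expression. The following Python script is an added example, not code from OpenNMS or from either commenter. It uses Python's re module as a stand-in for java.util.regex (the constructs used here behave the same in both), assumes the text the forwarding-regexp sees is the datagram with its priority and timestamp already removed, and uses a hypothetical helper, split_process, to separate the "sshd[2187]: " prefix from the final message body the way the resolution comment describes. The sample datagram is constructed from the message in the report.

```python
import re

# forwarding-regexp and group numbers from the syslogd configuration in the report
FORWARDING_REGEXP = re.compile(r"^((.+?):? (.*))\n?$")
MATCHING_GROUP_HOST = 2
MATCHING_GROUP_MESSAGE = 3

# The sshd passwordFailure ueiMatch from the comment, without and with the '.*?' prefix
PROCESS_MATCH = re.compile(r"^sshd$")
UEIMATCH_ORIGINAL = re.compile(
    r"^Failed (.*?) for (\S+) from (.*?) port (\d+) ssh(\d)$")
UEIMATCH_WORKAROUND = re.compile(
    r"^.*?Failed (.*?) for (\S+) from (.*?) port (\d+) ssh(\d)$")
UEI = "uei.opennms.org/vendor/openssh/syslog/sshd/passwordFailure"
PARAMETER_NAMES = ["authMethod", "user", "remoteHost", "remotePort", "protocolVersion"]

# Hypothetical helper pattern (not from the page): 'proc[pid]: body', pid optional
PROCESS_RE = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?: (.*)$")

# Constructed sample: the report's message as it would arrive from host gw01 via sshd,
# with the syslog priority and timestamp already stripped (assumption, see lead-in)
SAMPLE = ("gw01 sshd[2187]: Failed password for support "
          "from 2001:6a8:3c80:8004:a17e:2b7b:762f:3e65 port 60387 ssh2")


def split_datagram(text):
    """Apply forwarding-regexp; return (host, message) per matching-group-host/-message."""
    m = FORWARDING_REGEXP.match(text)
    if m is None:
        return None
    return m.group(MATCHING_GROUP_HOST), m.group(MATCHING_GROUP_MESSAGE)


def split_process(message):
    """Separate the 'proc[pid]: ' prefix from the final message body (hypothetical helper)."""
    m = PROCESS_RE.match(message)
    if m is None:
        return None, None, message
    return m.group(1), m.group(2), m.group(3)


def apply_ueimatch(expression, text):
    """Return the parameter-assignment dict if the <match> expression matches, else None."""
    m = expression.match(text)
    if m is None:
        return None
    return dict(zip(PARAMETER_NAMES, m.groups()))


def classify(text, expression, strip_process_prefix):
    """forwarding-regexp -> (optional) process split and process-match -> ueiMatch.

    strip_process_prefix=False models the behaviour before the fix: the whole of
    matching-group 3, process name and PID included, is handed to the expression.
    strip_process_prefix=True models the fix: the process name is checked against
    <process-match> and only the final message body is handed to the expression.
    """
    parts = split_datagram(text)
    if parts is None:
        return None
    host, message = parts
    if strip_process_prefix:
        process, _pid, body = split_process(message)
        if process is None or PROCESS_MATCH.match(process) is None:
            return None
    else:
        body = message
    params = apply_ueimatch(expression, body)
    if params is None:
        return None
    return {"host": host, "uei": UEI, "parameters": params}


if __name__ == "__main__":
    for label, expr, strip in [
        ("original expression, whole group 3", UEIMATCH_ORIGINAL, False),
        ("'.*?' workaround, whole group 3", UEIMATCH_WORKAROUND, False),
        ("original expression, message body only", UEIMATCH_ORIGINAL, True),
    ]:
        print(f"{label}: {classify(SAMPLE, expr, strip)}")
```

Run as-is, the first case returns None (the anchored expression is tried against text that starts with "sshd[2187]: "), the second matches because the lazy '.*?' swallows that prefix, and the third matches with the original expression once only the message body is passed, which is what the resolution comment describes. Note that the '.*?' workaround also drops the process-name check for free, so a message of the same shape from a different process would still fire the sshd UEI; the message-body approach keeps <process-match> meaningful.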